Saturday, 24 September 2022

Windows, OpenSSH, and FIDO2

Being able to use your FIDO2 key (e.g. a YubiKey) for OpenSSH is amazing, as long as you're on Linux. Windows has very limited out-of-the-box support for this, if any, mainly because the OpenSSH it ships with (C:\Windows\System32\OpenSSH) is very outdated, even on a fully up-to-date Windows 11. Fortunately, Microsoft maintains a more current fork of OpenSSH for Windows that can be installed, and with it FIDO2 SSH is very easy to get working.

I'm going to assume you've already made an SSH key on your FIDO2 key. I may add instructions on doing that on Windows here in the future. Do note that you cannot add resident keys without using a workaround here: https://github.com/PowerShell/Win32-OpenSSH/issues/1915

Head over to https://github.com/PowerShell/Win32-OpenSSH/releases and download the latest release. 64-bit users (hopefully everyone in the year 2022) should get the Win64 MSI installer. Install it as normal. This should install it to C:\Program Files\OpenSSH.

Next up, hit Windows Key + R (the Run menu) and enter "SystemPropertiesAdvanced.exe". Head to Environment Variables, and in the System variables section below, edit the PATH. You will see the built-in OpenSSH path C:\Windows\System32\OpenSSH. Delete that. You may also see %SystemRoot%\System32\OpenSSH; delete that as well (%SystemRoot% expands to C:\WINDOWS).

You'll now want to add a new entry and locate your new OpenSSH installation which should be C:\Program Files\OpenSSH. Add that in, and save all your changes and exit Advanced System Properties. Since you modified your system PATH, you may need to reboot. This is what mine looks like:

Screenshot of my PATH environment variable that includes the path C:\Program Files\OpenSSH

This last part should be done automatically, but open the Run menu again (Windows Key + R) and enter services.msc to open up Services. Scroll down to the service "OpenSSH Authentication Agent" and make sure it's set to Automatic and Running. This is needed for the SSH agent to communicate with your security key.

From there, open up Windows Terminal and verify that the SSH version you're running is the one you installed by entering ssh -V. If that checks out, the setup for SSH and FIDO2 should be straightforward, like any other setup. You add your local private key using ssh-add ~/.ssh/id_ed25519_sk and enter the passphrase (not your security key's PIN). Then SSHing to a remote server using that key should bring up the Credential Manager UI prompt for your security key's PIN (if you have one):

Screenshot of the Credential Manager UI prompt on Windows 11 asking for my security key's PIN
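The steps above (clean up the system PATH, confirm the right ssh.exe wins, make sure the OpenSSH Authentication Agent service is Automatic and running, then load the sk key) can be checked in one go from an elevated PowerShell. This is an added example, not part of the original post or of Win32-OpenSSH; it assumes the MSI installed to C:\Program Files\OpenSSH and that the key file is ~/.ssh/id_ed25519_sk, as described above. The service name ssh-agent is the internal name behind the "OpenSSH Authentication Agent" display name.

```powershell
# Added example: verify the Win32-OpenSSH + FIDO2 setup described in the post.
# Assumptions: install dir C:\Program Files\OpenSSH, key file ~\.ssh\id_ed25519_sk.
# Run from an elevated PowerShell so the service can be corrected if needed.

$ExpectedDir = 'C:\Program Files\OpenSSH'

# 1. Inspect the machine-wide PATH (the "System variables" section of the dialog).
#    %SystemRoot% is already expanded here, so match on the System32 suffix instead.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ -ne '' }

$stale = $machinePath | Where-Object { $_ -like '*\System32\OpenSSH' }
if ($stale) {
    Write-Warning "Built-in OpenSSH still on the system PATH, remove: $($stale -join ', ')"
}
if ($machinePath -notcontains $ExpectedDir) {
    Write-Warning "System PATH does not include $ExpectedDir"
}

# 2. Which ssh.exe actually wins in this shell? (Reboot or reopen the terminal
#    if it is still the built-in one after editing PATH.)
$sshCmd = Get-Command ssh.exe -ErrorAction SilentlyContinue
if ($sshCmd) {
    if ($sshCmd.Source -like "$ExpectedDir\*") {
        Write-Host "ssh resolves to the Win32-OpenSSH build: $($sshCmd.Source)"
    } else {
        Write-Warning "ssh resolves to $($sshCmd.Source); the PATH change is not in effect yet"
    }
    # ssh -V prints to stderr, so merge that stream to capture the version string.
    $version = (& $sshCmd.Source -V 2>&1) -join ' '
    Write-Host "Version: $version"
} else {
    Write-Warning 'ssh.exe not found on PATH'
}

# 3. The agent service must be Automatic and Running so signing requests for the
#    sk key are forwarded to the security key.
$svc = Get-Service -Name ssh-agent -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'OpenSSH Authentication Agent (ssh-agent) service not found'
} else {
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name ssh-agent -StartupType Automatic }
    if ($svc.Status -ne 'Running')     { Start-Service -Name ssh-agent }
    $svc = Get-Service -Name ssh-agent
    Write-Host "ssh-agent: $($svc.StartType) / $($svc.Status)"
}

# 4. Load the sk key (prompts for the key file passphrase, not the FIDO2 PIN)
#    and confirm the agent now lists a security-key-backed identity.
$keyFile = Join-Path $HOME '.ssh\id_ed25519_sk'
if (Test-Path $keyFile) {
    ssh-add $keyFile
    $skKeys = ssh-add -L | Where-Object { $_ -match 'sk-ssh-ed25519@openssh.com' }
    if ($skKeys) { Write-Host "Agent holds an sk key: $skKeys" }
    else         { Write-Warning 'Agent does not list an sk-ssh-ed25519 key' }
} else {
    Write-Warning "No FIDO2 key file at $keyFile"
}
```

The PIN prompt from Credential Manager only appears at connection time, when the key is actually asked to sign, so a clean run of this script followed by a normal ssh to a host that trusts the sk public key is the end-to-end check.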
